A funny piece at Slate rants about the “security” questions increasingly asked by financial institutions in a doomed attempt to foil hackers and phishers. It links to this funnier rant by David Weinberger. (I’ve also complained about the privacy concerns related to this before, but that’s not so funny.) As Slate sums up the idiocy:
The problem isn’t a failure of imagination on the part of the question-conjurers. It’s the impossibility of coming up with a question that’s easy to answer but hard to guess. After throwing in the caveat that “there is no one perfect question,” the proprietor of Good Security Questions lists 16 that he considers the best. Almost all of them are terrible. What was your childhood nickname? Didn’t have one, sadly. What is the name of your favorite childhood friend? Do Legos count as a friend? What is your oldest sibling’s birthday month? I’m guessing it would take a hacker two tries to get to February.
I’ll add two more problems. First, oftentimes more than one person, like a spouse, has legitimate access to the account. Are they asking me about my first pet or hers? Second, there is often more than one possible answer. Who is my favorite childhood friend? I seem to recall that data changed weekly, and that many schoolyard fights emerged over the constant churn in “best” friends.
Not that I have a brilliant solution. I guess it’s another possible argument in favor of what those Identity Gang people are up to…